NEWS

< http://www.securityfocus.com/news/7622
>

In a data-mining society, privacy advocates
shudder

By Brian Bergstein, The Associated PressDec 10
2003 9:02PM

Edward Socorro had a good thing going as a sales manager
with Hilton Hotels Corp. But not long after he started, a company hired by
Hilton to do background checks on new employees reported that Socorro once
spent six months in jail.

In reality, Socorro was no ex-con. He
protested that the background check was wrong. But still he was fired. And
although he later settled a lawsuit against Hilton, the damage was done.

Socorro learned the hard way about an increasing danger in our
ever-more-networked society: the reliance of corporations and governments
on commercially accessible databases that mine the paper trails of our
lives. It figures to be among vital privacy issues garnering wider
attention in 2004.

Databases have become remarkably efficient and
inexpensive to query. Many employers, schools and even volunteer
organizations now trust them in making decisions about whom to take on and
whom to avoid.

But these databases are not infallible. They can be
misinterpreted or only partially accurate, showing arrests or criminal
records that were later wiped clean -- just enough to cost someone a job.

Privacy advocates and civil liberties groups are alarmed. They
think some of these background checks could violate federal employment
laws and credit-reporting rules that let consumers examine information on
file about them.

At the very least, the Internet has made it far
easier for anyone to obtain not only someone else's birthdates and social
security numbers but also liens, lawsuits, divorces and other personal and
potentially embarrassing -- but technically public -- information.
Such material was once available only to people who
bothered to dig through musty courthouse files.

"I consider the
issue of public records on the Internet to be one of the most challenging
public policy issues of our time," said Beth Givens, director of the
Privacy Rights Clearinghouse.

Activists have been sounding alarms
for years about the decline of privacy in the digital age, with the public
sometimes responding.

Witness attempts by lawmakers in 2003 to
stomp out telemarketing and spam, albeit with limited success. Or how
spooked citizens recently recirculated e-mails warning that Google can
within seconds deliver the names and addresses that coincide with listed
phone numbers.

"We
are really on the cusp of creating a surveillance society where every
action, every utterance -- some might say every thought -- can be traced,"
said Barry Steinhardt, director of the American Civil Liberties Union's
technology and liberty program.

The next year will bring more
debate over radio-frequency identification, or RFID, which lets stores and
suppliers track inventory. Critics fear it could secretly monitor
consumers' behavior or whereabouts; retailers say those worries are
overblown partly because RFID tags will be disabled at checkout counters.

Meanwhile, the U.S. government, acting on post-Sept. 11 mandates,
will be monitoring travel more closely.

The government plans to
begin scanning and storing foreign visitors' facial images and
fingerprints in 2004. It also is developing CAPPS II -- the Computer
Assisted Passenger Prescreening System -- which is expected to check
travelers' credit reports, consumer transactions and other personal data.

While a privacy outcry led Congress to scale back the Pentagon's
Total Information Awareness data-mining program this year, several states
are cooperating on a similar terrorism and law-enforcement database
project called Matrix, which is maintained by a private company in
Florida.

Critics of such systems say they enable an unprecedented
amount of snooping on law-abiding citizens but do little to actually
enhance security -- consequently creating a dangerous, false sense of
safety.

Other activists worry that detailed databases are ripe
material for identity thieves or even terrorists.

For example,
Robert Bulmash, founder of the Private Citizen advocacy group, points out
that Edith Roman Associates Inc., which sells lists to direct-marketing
companies, offers a file identifying 124,000 executives and officials who
make homeland security-related decisions.

Or consider that a
leading records aggregator, Acxiom Corp., was struck last year by a hacker
who downloaded sensitive information belonging to about 10 percent of
Acxiom's corporate customers.

"So long as there are databases out
there that collect and maintain and put online aspects of our personal
life, they're subject to theft and hacking and misuse," Bulmash said.

Bulmash believes companies should not sell or share personal data
on citizens without getting explicit consent, a model followed in much of
Europe.

And like other privacy watchdogs, Bulmash suggests that
Americans buy and check their credit reports and files maintained by
records companies like Acxiom or ChoicePoint Inc. to avoid mixups like the
one that scorched Socorro.

Socorro had committed a minor
infraction in Illinois -- now expunged from his record, according to his
attorney -- that brought him six months of supervision, a wrist-slap often
given for speeding tickets.

After that erroneously came up as jail
time and Hilton fired him, it took Socorro seven months to find a new job.
He eventually settled the lawsuit against Hilton and background checker
IMI Data Search Inc.

To be sure, society can benefit from making
more information publicly accessible. Quickly scanning city property
records, for example, makes it far easier to see whether the assessor's
nephew is getting a sweet deal on his taxes.

In hopes of serving
such ideals while enhancing privacy, technology researchers are trying to
develop ways to shuttle files around the Internet and within organizations
so that only certain people can see certain pieces of information at a
time.

In fact, the National Science Foundation recently launched a
$12.5 million, five-year project to explore whether Internet communication
protocols and applications _ which were designed for maximum openness --
could be rewritten to incorporate copyright law, medical-privacy rules and
other consumer protections.

Even if the project succeeds, one
participant, Yale University computer science professor Joan Feigenbaum,
believes new information laws will be necessary, to reflect the
sensitivity of "bread crumbs" we leave in the networked world.

But
many privacy watchdogs fear legislative answers won't come soon. For
evidence, they point to recent changes in the Fair Credit Reporting Act
that added some new consumer protections but pre-empted more powerful --
and forward-looking -- measures enacted by some states.

"Our
privacy is on life support," Steinhardt said. "And we need to take some
heroic measures to save it."

Copyright 2004 Associated Press. All
rights reserved.This material may not be published, broadcast,
rewritten, or redistributed.